

Security threat report update

This report gives a comprehensive insight into the events and trends that emerged during the first half of 2008, and helps businesses to stay ahead of today's increasingly covert threats.

© Copyright 2008. Sophos Plc.

All registered trademarks and copyrights are understood and recognized by Sophos. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means without the prior written permission of the publishers.

Security threat report: July 2008

Overview

Since the virus threat first appeared on the business radar in the mid-1980s, the nature of the menace has changed considerably. Spreading slowly via floppy disks, and knowing nothing of network drives or email, let alone the internet, early viruses were written by mischief-makers, keen to gain notoriety and kudos for their creations, or to create mindless damage. The motivation has changed over recent years and malicious software (malware) is now largely in the hands of organized criminal gangs, who have no interest in creating headlines for themselves, but do want to steal identities, hijack computers and compromise them in order to send spam, and blackmail companies with distributed denial-of-service attacks.

Financially motivated criminals are creating and spreading new malicious code at an accelerated rate. According to one independent testing organization, there are now over 11 million unique malware samples in its collection.

SophosLabs™ – a global network of researchers and analysts – receives approximately 20,000 new samples of suspect software every single day. Many of these samples are Trojan horses, designed to silently steal information from computer users or compromise their PCs and take control of

SophosLabs is also encountering some highly crafted viruses (as opposed to Trojans) that are reminiscent of the deliberately complicated malware of the early 1990s, such as complex polymorphic viruses which go to great lengths to try to avoid detection by anti-virus software.

This "conveyor belt" of computer crime has led to masses of new malware being pumped out onto the internet every day, in the hope that some of it might slip past innocent users' anti-virus defenses, and make them the next victims.

Six months at a glance

    Total number of different malware threats in existence – over 11 million
    Biggest malware threat – SQL injection attack against
    New web infections – 1 new infected webpage discovered every 5 seconds
    Spam-related webpages – 1 new page discovered every 20 seconds
    Top malware-hosting country – US with 38%
    Top spam-relaying continent – Asia with 35%
    Email with infected attachments – 1 in 2500
    Spam in business email – 97%
    New types of spam – Cell, Facebook and backscatter
    Top host for malware – Blogger

Once again, increased flexibility in working practices, new and more complex operational threat methods, and a raft of new scams have continued to place a heavy burden on businesses, and the threat landscape remains challenging for the months ahead.
2008                                                                                                  Sophos security threat report   1

Malicious webpages

Our growing dependence on the web for making purchases and gathering information makes it an ideal hunting ground for cybercriminals chasing poorly protected users, and the web has become the primary vector by which hackers try to infect business computers with malware.

In 2007, SophosLabs discovered one new infected webpage every 14 seconds. In the first six months of 2008 that figure rose to one every five seconds, or an average of 16,173 malicious webpages every day – and 90 percent of these webpages are on legitimate sites which have been hacked.

The following is just a tiny sample of the hundreds of thousands of affected websites around the world which have fallen victim to a malicious attack, and demonstrates that it is not just small-scale sites that are affected:

•   January 2008 – Thousands of websites belonging to Fortune 500 companies, government agencies and schools were infected with malicious code.[1]
•   February 2008 – UK broadcaster ITV was the victim of a poisoned web advert campaign, designed to deliver scareware to Windows and Mac users.[2]
•   March 2008 – A Euro 2008 soccer ticket website was hacked by cybercriminals in order to infect unwary fans' computers,[3] and anti-virus firm Trend Micro found some of its webpages had been compromised.[4]
•   April 2008 – Cambridge University Press's website was compromised and visitors to its online dictionary were subject to attempts to run an unauthorized hacker's script on their computers.[5]
•   June 2008 – As the Wimbledon tennis tournament opened in the UK, the Association of Tennis Professionals (ATP) website was infected.[6]
•   July 2008 – Sony's US PlayStation website suffered an SQL injection assault which put visiting consumers at risk from a scareware attack.[7]

One of the reasons the web is so popular with attackers is that innocent sites can be compromised and used to infect large numbers of victims. However, it is not just the unsuspecting visitor who is the victim – the owner of the website also suffers.

This is particularly apparent with one of the major headline grabbers of the first half of 2008 – SQL injection attacks, which exploit security vulnerabilities and insert malicious code (in this case script tags) into the database running a website. The attack works when user input, for instance on a web form, is not correctly filtered or checked and unexpectedly executes as code, peppering the database with malicious instructions. Recovery can be painful, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later.

The best solution is prevention. Published advice about preventing SQL injection attacks can be found on the SophosLabs blog[8] and in an advisory published by Microsoft at the end of June 2008.[9]

Aside from SQL injection, the first half of 2008 has also revealed other trends in web-based malware. Hackers use established websites like Blogspot and Geocities, which make it easy for people to create their own sites, to host their malware, because new pages are trivial to set up without requiring identification. In addition, some security products struggle to protect their users against malware on these sites for fear of blocking legitimate pages. In June 2008 Blogger was responsible for hosting 2 percent of the world's web-based malware, making it the primary host of malicious code worldwide.

Malware families found on the web

The following chart shows the top malware discovered on websites in May and June 2008.

    Mal/Iframe    34.0%
    Mal/ObfJS     25.6%
    Mal/Badsrc    23.5%
    Troj/Unif      7.0%
    Troj/Decdec    1.7%
    JS/Redir       1.4%
    Troj/Fujif     1.0%
    Troj/Iframe    0.6%
    JS/Encharc     0.4%
    Mal/Psyme      0.4%
    Other          4.4%

    Top malware hosted on websites

The chart is dominated by malware commonly associated with SQL injection attacks. For example, a Mal/Iframe attack can be invisible to the naked eye, exploiting simple HTML code to place a pinprick-sized element, 1x1 pixel in scale, through which malware can be run from a third-party website. Used in conjunction with an SQL injection attack, this can be an effective weapon for hackers.
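The two mechanisms described on this page, the SQL injection that writes attacker-supplied markup into a site's database and the pinprick-sized iframe that Mal/Iframe plants in the resulting pages, are shown concretely in the added example below. It is not code from Sophos or from the report: the comments table, the malware.example and video.example hosts and the injected string are constructed for illustration. The first part contrasts an insert that splices input into the SQL text with the parameterized form that prevents the breakout; the second part is a small checker that flags iframes sized 1x1 or hidden by inline style, the kind of check a site owner would run over their own pages after a clean-up to confirm the injected content is really gone.

```python
"""Added example (not Sophos code): SQL injection into a site's database,
the parameterized query that prevents it, and a check for the 1x1 iframes
that Mal/Iframe-style injections leave behind in page content."""
import sqlite3
from html.parser import HTMLParser

# Constructed attacker markup: a pinprick-sized iframe on a placeholder host.
HIDDEN_IFRAME = '<iframe src="http://malware.example/x" width=1 height=1></iframe>'

# Constructed visitor input that closes the quoted value and adds its own row.
INJECTED_COMMENT = "nice post'), ('attacker', '" + HIDDEN_IFRAME


def make_db():
    """In-memory comments table standing in for the database behind a website."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


def add_comment_vulnerable(conn, author, body):
    """Defect kept on purpose: input is formatted into the SQL text, so the
    body can terminate the string literal and supply further VALUES rows."""
    conn.execute("INSERT INTO comments (author, body) VALUES ('%s', '%s')"
                 % (author, body))
    conn.commit()


def add_comment_safe(conn, author, body):
    """Hardened form: placeholders pass the values to the driver separately
    from the statement, so the body is stored as data whatever it contains."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)",
                 (author, body))
    conn.commit()


def stored_rows(conn):
    return conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()


def demo_injection():
    """Feed the same input to both inserts; return (vulnerable rows, safe rows)."""
    vuln, safe = make_db(), make_db()
    add_comment_vulnerable(vuln, "visitor", INJECTED_COMMENT)
    add_comment_safe(safe, "visitor", INJECTED_COMMENT)
    return stored_rows(vuln), stored_rows(safe)


def _to_int(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    try:
        return int(str(value).lower().rstrip("px"))
    except (TypeError, ValueError):
        return None


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that is 1x1 or smaller, or hidden via
    inline style. A heuristic for site owners, not an anti-virus engine."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        width, height = _to_int(a.get("width")), _to_int(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = width is not None and height is not None and width <= 1 and height <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append(a.get("src") or "")


def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed page: a visible, legitimate embed plus two injected iframes.
SAMPLE_PAGE = """<html><body>
<h1>Match tickets</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<p>Comments</p>
""" + HIDDEN_IFRAME + """
<iframe src="http://malware.example/y" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    vuln_rows, safe_rows = demo_injection()
    print("vulnerable insert stored", vuln_rows)
    print("parameterized insert stored", safe_rows)
    print("hidden iframes found:", find_hidden_iframes(SAMPLE_PAGE))
```

Parameterization stops the statement itself being altered, which is what keeps the attacker's extra row out of the table; it does not make stored text safe to render, so comment bodies still need HTML-escaping on output. The checker is deliberately simple: it catches the 1x1 and display:none patterns the report describes, and a site that was "hit again a few hours later" would show up as fresh findings on the next run.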

Controlling web browsers inside the enterprise

Hackers have increasingly turned to compromising legitimate websites by inserting malicious code that redirects browsers to sites hosting malware. Similarly, phishers have been taking advantage of vulnerabilities and security weaknesses in web browsers to trick users with authentic-looking replicas designed to collect sensitive personal and company information which can then be used for financial gain.

A well-managed web browser, where vulnerabilities are patched and options are appropriately set, helps to preserve the integrity of corporate networks. Indeed, 70 percent of system administrators want the ability to block unauthorized web browsers or out-of-date versions of approved browsers inside their organization.

    42%  Essential to block unauthorized web browsers or out-of-date versions of approved browsers
    28%  Want to block unauthorized web browsers or out-of-date versions of approved browsers
    30%  Browser control not important

    Sophos web poll, 304 respondents, 16 May – 4 June 2008

The 30 percent of administrators who do not consider browser control to be important might want to revisit this issue, since unauthorized browsers generate real security and productivity issues. By setting down a policy that controls which web browser and version employees can use, administrators simplify the job of keeping the web secure, which is particularly important in light of the increased malware activity on the web.

Aside from the risks posed by cybercriminals, "browser wars" have opened up a competitive, fast-paced and varied landscape. Beta versions and updates of popular browsers are entering circulation on a near daily basis, some incorporating media streaming and file-sharing capabilities, making it increasingly difficult for administrators to secure the endpoint computers in their organization.

Web server infections

The chart shows which web server software is most commonly used on infected websites.

    Apache    59.1%
    IIS       23.8%
    GFE        7.8%
    nginx      4.8%
    Other      4.5%

    Web server software most commonly hit by web infections, Jan–Jun 2008

Almost 60 percent of web-based threats in January to June 2008 have affected Apache servers. This is a notable increase from the level seen during 2007, when Apache web servers accounted for less than 49 percent of web-based infections. A large number of Apache servers are hosted on Linux or some flavor of UNIX, highlighting the fact that malware is not just a Microsoft problem.

While it is true that there is less malware written to target Linux and UNIX, the websites are not necessarily safe from attack. This is because the attacks target the website – not just the server – and often attempt to embed scripts or redirections to malicious code.
Top malware-hosting countries

The chart showing which countries contain the most malware-hosting webpages reveals some interesting

•   The US – tops the chart with just under two in every five infected webpages based there.
•   China – topped the chart in 2007 and was responsible for hosting 53.9% of infected pages on the web, but has returned to its 2005 positioning, serving up just a third of the poisoned pages on the internet.
•   The Czech Republic – a new entrant on the list, hosting just under 1 percent of all of the world's malware on the web.
•   France, Canada, Taiwan and South Korea – were present in positions six, seven, nine and ten respectively in the 2007 chart but now have too few malicious sites to appear on the chart.

    United States     38.0%
    China             31.3%
    Russia            10.8%
    Germany            2.4%
    Ukraine            1.9%
    Turkey             1.8%
    United Kingdom     1.3%
    Thailand           1.1%
    Netherlands        1.0%
    Czech Republic     0.9%
    Other              9.5%

    Top malware-hosting countries

Malicious email attachments

Only 1 in every 2500 emails examined during the first six months of 2008 was found to contain a malicious email attachment, compared to 1 in 332 in the first half of 2007.

The chart shows the top families of malware spreading via email attachments in January to June 2008.

    Troj/Pushdo    31.0%
    W32/Netsky     20.1%
    W32/Mytob       6.7%
    W32/Traxg       6.0%
    Troj/Agent      5.9%
    W32/MyDoom      3.0%
    Troj/Mdrop      1.8%
    W32/Zafi        1.6%
    W32/Bagle       1.4%
    W32/Nyxem       1.3%
    Other          21.2%

    Top ten virus families spreading via email attachments

Pushdo's rapid dominance of the email attachment malware chart – accounting for almost a third of all reports during the first six months of 2008 – is significant, having not made an impression in the statistics collected for 2007. However, although it is at the top of the chart, it has not spread as virulently as the mass-mailing worms like Netsky, Bagle and Sobig that were first seen in 2003 and 2004.

Five minutes in malware – rapidly spammed Pushdo campaign

The Pushdo Trojan is spammed out using a rapidly changing subject line and claiming, for example, to have attached photographs of a nude Angelina Jolie or Nicole Kidman. Typically the Trojan drops another piece of malware (called Pushu) which itself then downloads further malware, such as a rootkit, from the internet.

The Pushdo campaigns use sophisticated techniques in an attempt to avoid detection, including obfuscating the code using different types of packer. Although Pushdo has been seen infecting users predominantly via email, it has also used web-based attempts to infect users.[10]

The second most prevalent malware spreading via email attachments is Netsky, written by German teenager Sven Jaschan and spreading since 2004 – proving that a worrying number of users have not updated their anti-virus defenses for over four years.

Email links to malicious webpages

The huge change in the numbers of infected attachments in emails does not mean that email itself is less of a threat. It is how email is being used to infect users' computers that has radically changed.

Rather than incorporating malware into the email in the form of an attachment, cybercriminals are using unsolicited email, or spam, to provide links to compromised websites. Unfortunately, there is still a common belief that spam is not a threat, but with virtually all of it unwanted, and a dangerous proportion linking to infected websites, organizations should secure their email and web gateways just as fastidiously as their desktops and laptops.

Targeted malware

The first half of 2008 has seen very focused malware attacks, which are designed to infect specific individuals and corporations rather than the internet community at large. Like spear-phishing (described below), targeted malware attacks are small-scale, usually sent as if from a member of your own company (in other words somebody you are more likely to trust), and typically designed to get the user to click on an infected email attachment.

In April 2008 there was a specifically targeted email campaign sent to chief executive officers of various companies. The emails all related to federal subpoenas, pretended to be from the US Federal courts, and tried to frighten their hand-picked recipients into opening a dangerous attachment.[11]
Non-Windows malware

Apple malware

Apple Macs

The Apple malware problem is currently tiny compared to the situation for Windows users. However, since the emergence of the first financially motivated malware for Mac OS X in late 2007[12] there have been more attempts by hackers to infect Mac computers.

In February 2008, Sophos discovered a new Flash-based Trojan, Troj/Gida-B, designed to scare users into purchasing bogus security software, using poisoned web adverts that would lead to a scareware attack that worked equally well on Mac and Windows computers.[13]

The OSX/Hovdy-A Trojan, discovered in June 2008, is capable of infecting Mac OS X computers and attempts to steal passwords, open firewalls to give access to hackers, and disable security settings. It takes advantage of the recently reported ARDAgent vulnerability in Mac OS X to gain root access. Once a computer has been exploited, the hacker can gain complete control of the compromised Mac – covering their tracks by disabling system logging.[14]

There are several reasons why Mac users should be wary:

•   A higher level of security complacency in the Apple community, with many Apple users incorrectly believing that they are immune from the problem of internet security threats, risks making Mac users a soft target for future hacker attacks.
•   The use of Intel-based chips in Apple Mac hardware has made use of Windows on Macs more common, so Macs are more likely than before to be harboring and spreading Windows malware.
•   The first half of 2008 has seen record laptop sales reported by Apple, with some users disgruntled with Windows Vista attracted to the Macbook brand.[15] As the marketshare for Apple Macs increases, Sophos believes that users are likely to see more attacks launched against their personal computers.

Nevertheless, with so many Windows home users seemingly incapable of properly defending themselves against the avalanche of malware and spyware being created for their platform, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This suggestion is made not because Mac OS X is superior – but because there is simply significantly less malware currently being written for it. So cybercriminals looking to maximize their return are likely to stick mostly to attacking Windows computers for the foreseeable future.

However, the likelihood is that there will continue to be malware written for Apple Macs, and Mac users should continue to follow safe computing best practices like running an anti-virus product and keeping up-to-date with security patches.
iPhone

There is no disputing that the 3G version of the iPhone is going to prove more attractive to business and internet users than its predecessor owing to its superior internet connectivity and its cheaper price point. This increased marketshare, however, may in turn herald more concerted attempts by criminals to take advantage of the devices in future.

Although simple malware has been seen,[16] the Apple iPhone has not yet been the target of commercially motivated hackers.

However, security flaws have been found in Apple's mobile email application and Safari browser, and the company has been criticized[17] for not patching these flaws in the iPhone at the same time as its other computers running versions of Mac OS X.

One thing that Apple iPhone users do need to be aware of is that they may be more vulnerable to phishing attacks than their desktop counterparts:

•   Because they have to enter URLs via the touch-sensitive screen, iPhone users may be more willing than when using a real keyboard to click on links to what they assume is their online bank, eBay and the like in unsolicited emails.
•   In the iPhone version of the Safari web browser, a URL embedded in an email is not displayed before it is clicked on, so iPhone users might be more susceptible to scams as it is harder for them to tell if the web link they are about to select is, for example, to a bogus banking website.

Furthermore, the issue has been raised that with the Apple iPhone's browser displaying only partial URLs in its address bar, it makes it easier for cybercriminals to fool users into believing they are on a legitimate website.[18]

Linux malware

Apple is not the only non-Microsoft platform to be under threat of malware attack. In February 2008, Sophos reported that a six-year-old Linux virus, RST-B, was being seen in surprising quantities infecting Linux computers and servers.

After releasing a free tool and carrying out further research, SophosLabs found several thousand Linux computers with root level infections of Linux/RST-B, allowing hackers to use the Linux computer to control botnets (networks of compromised computers). It should be noted that only root level infections were examined; figures for compromised non-root accounts would have resulted in even higher reports of infestation.

Examination of the statistics revealed that most of the infections were in the USA*, as can be seen in the chart. Interestingly, Japan, which is a large market for Linux, comes in at eleventh position with 2.3 percent of infections.

Linux users are encouraged to investigate the free Sophos tool to check if they are also infected by RST-B.[19]

    USA        22.0%
    China      10.0%
    Germany     6.5%
    Brazil      6.1%
    Korea       4.1%
    Taiwan      3.9%
    France      3.3%
    Italy       3.1%
    India       3.1%
    Poland      2.9%
    Other      35.0%

    Linux/RST-B infections

* Sophos would like to acknowledge the assistance of Accretive Networks for its help in producing these statistics

    Email spam                                                     Phishing campaigns
    Email spam continues to plague computer users. By June 2008, the level of spam had risen to 96.5 percent of all
    business email, up from 92.3 percent in the first three months of the year. Corporations now face the fact that
    only one in 28 emails is legitimate.20

    During the first six months of 2008, Sophos experts discovered on average 8,330 new spam-related webpages each
    day. The peak was in January, during a major outbreak of the Storm worm: at its height an astonishing 1 in 6 of
    all emails pointed computers to a maliciously infected webpage.21 This contributed to a high of one new
    spam-related webpage every three seconds. Fortunately, subsequent months did not see a comparable spam and
    malware campaign.

    There is a growing trend for spammers to host their content and websites on Chinese web servers. This has caused
    problems for some security companies because it is harder to get visibility of Chinese domain name registration
    information than it is for other countries. Language and cultural issues have also conspired to make it more
    difficult to get some offending websites taken down promptly.

    From the criminals’ point of view the use of Chinese domain names is attractive: they do not have to change
    their domain so regularly and may be able to operate for a longer period of time.

    Sophos continues to see widespread phishing email campaigns targeting the users of online financial
    institutions, and popular auction and payment websites. In recent months social networking websites like
    Facebook have also caught the interest of phishers.22

    A Facebook phishing website

    There have also been more sophisticated targeted attacks against particular organizations and individuals. The
    technique, known as spear-phishing, involves emails that have been personalized to a specific domain or
    organization. They appear to come from a trusted source, such as a member of IT staff at the same company as
    the recipient, and ask for usernames, passwords and potentially other personal information, sometimes
    redirecting recipients to a bogus version of the company website or intranet. Those who reply to these
    messages will inadvertently be supplying information that the phisher can use for malicious purposes, such as
    identity fraud.

    The University of Waterloo23, Oak Ridge National Laboratory24 and the University of Minnesota25 are amongst
    the many organizations to have been on the receiving end of this kind of attack.

    Spear-phishers can easily generate victims’ addresses with spammers’ software that, for example, combines
    given names and family names into likely mailbox names. They may also have harvested a list of employees from
    a directory on a social network such as Facebook or LinkedIn. And because the phishing emails are sent only
    to a single domain, they are less likely to appear on a security vendor’s radar.
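    As an added example (not part of the Sophos report), the following Python applies a handful of the header and
    body checks a mail gateway can run to surface the spear-phishing pattern described above: a From header that
    poses as a colleague or the IT department while the mailbox or the recorded envelope sender sits in another
    domain, a Reply-To that steers answers elsewhere, a lookalike domain, and a body that asks for credentials.
    The organization domain example.com, the phrase list and the three sample messages are constructed for this
    example and are not data from the report.

```python
import email
from email.utils import parseaddr

# Hypothetical organization domain; all sample messages below are constructed for this example.
OUR_DOMAIN = "example.com"

SAMPLE_SPOOFED_INTERNAL = """From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce-1234@mailer.example.net>
Reply-To: IT Helpdesk <it-support@examp1e-helpdesk.net>
Subject: Your password expires today
Content-Type: text/plain

Your network password expires today. Reply to this message with your
username and password so that IT can renew your account.
"""

SAMPLE_LOOKALIKE = """From: "Example.com Intranet" <admin@examp1e.com>
Return-Path: <admin@examp1e.com>
Subject: Intranet migration
Content-Type: text/plain

The intranet has moved. Log in at the new address to verify your account.
"""

SAMPLE_BENIGN = """From: Alice Jones <alice@example.com>
Return-Path: <alice@example.com>
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

# Constructed phrase list; a real gateway would use a tuned classifier rather than substrings.
CREDENTIAL_PHRASES = ("password", "username", "log in", "verify your account")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, ours):
    """True for a domain that is one edit away from ours or embeds our base label."""
    base, ours_base = domain.split(".")[0], ours.split(".")[0]
    return domain != ours and (edit_distance(base, ours_base) <= 1 or ours_base in base)


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in parts if p.get_content_type() == "text/plain")


def spearphish_indicators(raw, our_domain=OUR_DOMAIN):
    """Return the names of the indicators that fire for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # The display name invokes our organization but the mailbox is elsewhere.
    if from_dom != our_domain and our_domain in name.lower():
        flags.append("display-name-claims-internal")
    # The From domain is a near-copy of ours.
    if is_lookalike(from_dom, our_domain):
        flags.append("lookalike-domain")
    # Replies are steered to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to-domain-mismatch")
    # From claims to be internal, but the envelope sender the MTA recorded is external.
    _, ret = parseaddr(msg.get("Return-Path", ""))
    if from_dom == our_domain and ret and domain_of(ret) != our_domain:
        flags.append("envelope-sender-external")
    # The text asks for credentials or account verification.
    if any(p in body_text(msg).lower() for p in CREDENTIAL_PHRASES):
        flags.append("credential-request")
    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED_INTERNAL), ("lookalike", SAMPLE_LOOKALIKE),
                       ("benign", SAMPLE_BENIGN)):
        print(label, spearphish_indicators(raw))
```

    None of these checks is conclusive on its own (a Reply-To in another domain is common for mailing lists, and
    Return-Path is only trustworthy when written by your own MTA), which is why the function returns the set of
    indicators rather than a verdict; a gateway would score them together with SPF/DKIM results.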

8      Sophos security threat report                                                                                               2008
       It is important to remember that phishing campaigns are not specific to any one operating system, and can
       affect any internet user regardless of whether they use Microsoft Windows, Mac OS X or a brand of UNIX.
       Because they exploit trust and human nature rather than software flaws, they are likely to continue to be a
       problem for the foreseeable future.

       Botnets

       Virtually all spam is sent from compromised computers (called “bots” or “zombies”) that, unbeknown to their
       innocent owners, are being used by hackers to send out large volumes of spam, launch distributed
       denial-of-service attacks, or steal confidential information. Typically they belong to home users who are
       not properly protected with up-to-date anti-virus software, firewalls and security patches.

       It is important that more be done to raise awareness amongst computer users about the importance of keeping
       their PCs secure.

       Dirty dozen

       The list of “dirty dozen” spam-relaying countries for April to June is shown in the chart. It reflects a
       concern that botnets are having an increasing impact in nations with growing economies, which are beginning
       to appear in the chart.

       United States 14.9%
       Russia 7.5%
       Turkey 6.8%
       China (incl HK) 5.6%
       Brazil 4.5%
       Poland 3.6%
       Italy 3.6%
       South Korea 3.5%
       United Kingdom 3.2%
       Spain 3.2%
       Germany 3.0%
       Argentina 2.9%
       Other 37.7%

       “Dirty dozen” spam-relaying countries Apr–Jun 2008

       •  The US – has decreased its contribution to the spam problem, relaying less than 15 percent of all spam
          compared to a fifth in the same period in 2007.
       •  China – has also dropped from its earlier second position in the chart, having been displaced by Russia
          and Turkey.
       •  Argentina – the fastest growing economy in South America is a new addition to the chart this quarter,
          knocking France out of the chart to take 12th place, and is now responsible for relaying 2.9 percent of
          the world’s spam email.
       •  Turkey – has risen from ninth place and 2.9 percent in the second quarter of 2007, to third place and
          6.8 percent so far this year.

       Viewed by continent, the breakdown of spam-relaying countries shows Asia as delivering more than one-third
       of all spam.

       Asia 35.4%
       Europe 29.5%
       North America 18.2%
       South America 14.8%
       Africa 1.2%
       Other 0.9%

       Spam-relaying continents Apr–Jun 2008
     Backscatter spam

     A noticeable spam trend during the first half of 2008 was the growth in the number of non-delivery report
     (NDR) messages generated by mail systems that accept spam messages during an SMTP session and only discover
     afterwards that they cannot deliver them. If there is a delivery error (for instance, “mailbox full” or
     “user doesn’t exist”), the system attempts to send a bounce message back to the supposed original sender.

     The bounce message is directed to the envelope sender of the original message, that is, the address given
     in the SMTP MAIL FROM command, which the receiving system records in the Return-Path header. Because this
     address has been forged in most spam messages, the bounce message is delivered to the mailbox of a sender
     who did not send the original spam message. This is known as “backscatter spam”.

     Specific addresses or domains that are favorites of spammers can be the target of hundreds, or even
     thousands, of backscatter spam messages every day. A mail system that rejects undeliverable messages during
     the SMTP session, rather than accepting them and bouncing them later, generates no backscatter at all; a
     site on the receiving end can only discard bounces for mail it never sent, for example by signing its own
     outbound envelope addresses and refusing NDRs addressed to unsigned ones.

     Cellphone spam

     Another growing method for spammers to spread their messages is via SMS text messages sent to cellphones.

     According to the Internet Society of China, 353.8 billion spam messages were sent to the country’s
     cellphone owners in the last year. As a consequence, China’s 574 million mobile phone users receive on
     average over 600 spam messages each per year. Of the 438,668 spam complaints received in June 2008,
     39.17 percent concerned fraudulent texts and 36.28 percent commercial adverts.26

     The problem is not confined to China, however. For instance, in April 2008 the switchboard of Dublin Zoo
     was swamped after at least 5000 people were sent a spam SMS text message telling them to ring a number
     urgently and ask for a fictitious person.27 The number was that of the main phoneline to Dublin Zoo, and
     the fake names were all animal-related (Rory Lion, Anna Conda, C Lion or G Raffe, according to the news
     reports). Zoos in Houston28 and Brownsville, Texas29 suffered similar attacks the following month.

     Spamming a lot of people via text message is an effective way of generating a flash-flood denial-of-service
     attack against an organization’s telephone system. As mobile operators give away more and more free texts
     per month as part of their calling plans, and make available SMS web gateways that can be abused by
     hackers, we may see more spammers using SMS to clog up phone lines.
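     As an added example, not part of the Sophos report, the Python below shows the receiving-side defence against
     the backscatter described in the Backscatter spam section above: outbound envelope senders are rewritten into
     a keyed, dated signature in the style of BATV (Bounce Address Tag Validation), and an inbound bounce (null
     envelope sender, MAIL FROM:<>) is accepted at the RCPT stage only when it is addressed to a tag that verifies.
     The tag layout, the key, the seven-day lifetime and the dates are simplified and constructed for this example;
     a production deployment should follow the BATV draft and rotate keys.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed for this example: a real deployment keeps the key in the MTA's secret store and rotates it.
EXAMPLE_KEY = b"example-key-rotate-me"

# Simplified BATV-style tag: prvs=KDDDSSSSSS=localpart
#   K      one-digit key id
#   DDD    day counter (days since 1970-01-01, mod 1000)
#   SSSSSS first 24 bits of HMAC-SHA1(key, K || DDD || core address), as hex
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _as_date(on):
    """Accept an ISO date string, a date, or None (today)."""
    if isinstance(on, str):
        return date.fromisoformat(on)
    return on or date.today()


def _day_counter(on):
    return (on - date(1970, 1, 1)).days % 1000


def _sig(key, key_id, day, core):
    msg = f"{key_id}{day:03d}{core}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def batv_tag(address, key, key_id=0, on=None):
    """Rewrite local@domain into the signed form used as the outbound MAIL FROM."""
    day = _day_counter(_as_date(on))
    local, domain = address.rsplit("@", 1)
    return f"prvs={key_id}{day:03d}{_sig(key, key_id, day, address)}={local}@{domain}"


def batv_verify(address, key, on=None, max_age_days=7):
    """Return the original address if the tag is genuine and fresh, otherwise None."""
    local, domain = address.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if not m:
        return None          # untagged: no mail ever left here with this envelope sender
    key_id, day, sig, core_local = int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)
    core = f"{core_local}@{domain}"
    if (_day_counter(_as_date(on)) - day) % 1000 > max_age_days:
        return None          # stale tag: an old one harvested and replayed by a spammer
    if not hmac.compare_digest(sig, _sig(key, key_id, day, core)):
        return None          # forged tag
    return core


def rcpt_decision(mail_from, rcpt_to, key, on=None):
    """Policy applied at the SMTP RCPT stage, before the message body is accepted."""
    if mail_from != "":
        return "not-a-bounce"    # only the null sender, MAIL FROM:<>, carries NDRs
    core = batv_verify(rcpt_to, key, on)
    return "reject-backscatter" if core is None else f"accept-for:{core}"


if __name__ == "__main__":
    signed = batv_tag("alice@example.com", EXAMPLE_KEY, on="2008-06-30")
    print("outbound MAIL FROM:", signed)
    print("bounce to signed address:", rcpt_decision("", signed, EXAMPLE_KEY, on="2008-07-02"))
    print("bounce to plain address: ", rcpt_decision("", "alice@example.com", EXAMPLE_KEY, on="2008-07-02"))
```

     The decision is taken at RCPT time so that the rejecting MTA itself produces no bounce: the sending side
     sees a 5xx reply inside the session and the forged address never receives anything. The same rewriting
     also means that legitimate bounces for mail the site really sent still arrive, since they are addressed to
     the tagged sender.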

       Web 2.0

       Social/business-networking spam and malware
       Social networking websites like Facebook, MySpace, Bebo and other Web 2.0 sites have exploded in
       popularity in the last few years, a trend that has not gone unnoticed by cybercriminals. Computer users,
       used to an onslaught of unsolicited email in their inbox, appear to be less cautious when messages arrive
       via other routes, such as instant messaging or Facebook.30

       Facebook spam

       Industry networking website LinkedIn has also not been immune to attack, with phishers and scammers using
       the site to target successful business people. In May 2008 a ‘419 scam’ sent via the LinkedIn website
       claimed to come from a 22-year-old woman living in the Ivory Coast who had been left $6.5 million by her
       deceased father.31

       LinkedIn scam

       Malware authors have also looked with greedy eyes at the pool of potential victims available to them on
       social networking sites:

       •   May 2008 Vkontakte, the most popular Russian social-networking site with over 12 million members, was
           struck by a worm which spread via the system, wiping files from hard drives.32
       •   December 2007 Google’s Orkut networking site was struck by malware which used a cross-site scripting
           (XSS) attack to infect hundreds of thousands of members’ profiles.33

       As more and more companies put defenses in place at their email gateway, and home users are protected by
       their ISP or web email account provider, criminals may have to become more inventive in how they deliver
       their messages and malware. While the current level of Facebook, Bebo and LinkedIn spam is still dwarfed
       by email spam, there are likely to be more attempts to use Web 2.0 websites to spread malware and spam in
       the future.

     Arrests and the law
     With international computer crime authorities joining efforts in a bid to bring down hackers, malware
     authors and spammers, the past six months have seen more arrests and harsher sentences for criminals
     involved in high-profile, financially rewarding computer crimes.

     Below are some of the cases that made the news in the first half of 2008.

     January 2008 Three men who constructed an elaborate email scam, in which they claimed to have throat
     cancer, pleaded guilty in a New York courthouse to stealing more than $1.2 million. The men sent emails
     which claimed to come from a victim of terminal throat cancer who wanted to distribute $55 million to
     charity. One of the gang, Nnamdi Chizuba Ainsiobi, is then said to have telephoned recipients, disguising
     his voice to pretend he was the person suffering from the disease.34

     February 2008 An American teenager pleaded guilty to seizing control of hundreds of thousands of zombie
     computers, including some based at the Weapons Division of the US Naval Air Warfare Center in China Lake,
     California and at the US Department of Defense, and using them to display cash-generating adverts.35

     March 2008 Lee Shin-ja, the former CEO of Korean security company Media Port, was charged with distributing
     bogus anti-spyware software to over a million people, allegedly earning over 9.2 billion won (approximately
     US $9.8 million) since 2005 with a free anti-spyware program that displayed fake security warnings and
     directed internet users to purchase Media Port’s Doctor Virus clean-up solution.36

     March 2008 A Chinese court handed out jail sentences of between six and a half and eight years to four men
     who used a Trojan to steal internet bank account information.37

     April 2008 Edward “Eddie” Davidson was jailed for 21 months and ordered to pay $714,139 to the IRS after he
     was found guilty of tax evasion and of falsifying email headers in hundreds of thousands of spam messages.
     By marketing perfume and luxury watches and by manipulating the stock market with pump-and-dump scams,
     Davidson allegedly made at least $3.5 million.38

     April 2008 An Israeli court jailed three members of the Modi’in Ezrahi private investigation firm after they
     were found guilty of using a Trojan to steal commercial information.39

     May 2008 22-year-old Thomasz Grygoruk was sentenced to three years in jail after being found guilty of
     stealing personal information from thousands of people over the web in a five-year spree, using a
     combination of Trojans and fake banking websites.40

     May 2008 Mark Richman and Nathaniel Seidman, the owners of a company based in Boca Raton, Florida, were
     fined $75,000 under the CAN-SPAM Act for sending unsolicited spam messages with faked headers and lurid
     subject lines in an attempt to promote websites such as

     May 2008 Authorities in the USA and Romania charged a total of 38 people suspected of running an
     international crime ring that sought to steal from thousands of consumers, targeting hundreds of financial
     institutions through phishing emails and SMS text messages.42

     June 2008 19-year-old Jason Michael Milmont admitted to being the programmer of the Nugache malware, which
     infected Windows computers, turning them into a sophisticated P2P-controlled botnet with between 5,000 and
     15,000 compromised PCs at any one time. Milmont used stolen bank information to take over victims’ accounts
     and order goods to be sent to vacant addresses in the Cheyenne, Wyoming area.43
       State-sponsored cybercrime
       Countries are spying on each other all across the world for political, commercial and military advantage,
       and it would be naive to think that nations would not take advantage of computers and the internet to
       assist them in their espionage activities.

       During 2007 it became common for countries to openly accuse each other of engaging in spying via the
       internet, for example with the Chinese military being blamed for a cyberattack on a Pentagon computer
       system in September 2007. Concern about state-sponsored cybercrime climaxed at the end of 2007, with the
       discovery that MI5, the British Security Service, had written to 300 chief executives and security chiefs
       at UK companies warning them of an “electronic espionage attack”.44

       The first six months of 2008 have seen more reports of alleged government-sponsored cybercrime, and even
       though it can be extraordinarily difficult to prove that an attack has been endorsed by a state rather
       than being the act of an independent group of hackers, 2008 is likely to bring more claims of countries
       attacking and spying on each other via the internet.

       April 2008 Der Spiegel reported that the BND, Germany’s foreign intelligence service, used spyware to
       monitor the Ministry of Commerce and Industry in Afghanistan. Confidential documents, passwords and email
       communications are said to have been compromised by German spies and sent to the BND’s headquarters. The
       news followed revelations that the BND had intercepted emails between Spiegel journalist Susanne Koelbl
       and Afghanistan’s Commerce Minister Amin Farhang, and resulted in a diplomatic row between the
       countries.45

       May 2008 Senior Indian government officials in New Delhi were said to have confirmed that Chinese hackers
       targeted the Ministry of External Affairs and the National Informatics Centre, which provides the network
       backbone for central and state government, as well as other administrative bodies in India. The unnamed
       officials were quoted as saying that this is China’s way of gaining “an asymmetrical advantage” over a
       potential adversary.46

       May 2008 Belgium also accused the Chinese government of cyber-espionage, claiming that hacking attacks
       against the Belgian Federal Government had originated in China and were likely to have been at the behest
       of the Beijing government. Separately, the Belgian minister of foreign affairs told parliament that his
       ministry had been the subject of cyber-espionage by Chinese agents several weeks before.47

       In truth, there is simply not enough evidence to say whether these or other attacks are state-sponsored
       rather than coming from the desk of a government worker or a teenager’s bedroom. Governments need to think
       carefully before accusing another of spying via the internet unless they have strong proof.

       However, these reports do underline the importance of everyone making computer security a priority, and
       there is no doubting the importance of securing critical computers inside government from hackers,
       whether motivated by politics, espionage or money. The advice for companies, organizations and governments
       alike is to keep their malware defenses up-to-date and ensure that proper security is in place to prevent
       intruders (be they cybercriminals or foreign government spies) from stealing information.
     Strategic global insight from SophosLabs
     Through the powerful integration of cross-threat expertise, automated systems and leading-edge technology,
     SophosLabs has the global visibility and 24/7 research operation to provide the proactive protection and
     rapid response that businesses need to safeguard their security, productivity and regulatory compliance.
     Its expertise underpins all Sophos’s web, email and endpoint security and control solutions. SophosLabs’
     alert services, ZombieAlert and PhishAlert inform organizations if any of their computers have been
     compromised and turned into zombies, or if their brand is being used in phishing campaigns.

     SophosLabs’ broad base of data sources includes:

     •   Spam traps in over 50 countries, providing instant
         visibility of new spam campaigns
     •   Global email traffic from thousands of customers
     •   Third-party resources that report and share
         threat information
     •   Data-sharing partnerships with search engines
     •   Millions of daily feeds of malicious URLs.

     To find out about Sophos products and how to evaluate them, please visit

Boston, USA • Oxford, UK
